How To Use OpenAM For OAuth 2.0/OIDC Federation?
Here's the situation:
- We have some legacy system, using simple user/password authentication + session cookies (and not using OpenAM).
- We are trying to provide new services to another organization and, among other things, we are obliged to accept their users as authenticated, automatically, upon redirection from their web application. We need Federated Identity. We have chosen OpenAM as our new IAM, but our user data is still in the legacy system, and their users will be registered into the legacy system too. For now the users won't be aggregated into OpenAM's database.
So the rough idea for any federation scenario for us would be like this:
They redirect their user to our OpenAM endpoint, which takes a JWT (an OIDC token?) signed by their IdP, which we "trust", and somehow, based on the content of that, OpenAM issues another JWT token and redirects the user again to the legacy system with the new bearer token.
Developers at the legacy system will create some custom code to verify and read the claims inside the JWT token. Based on the claims, they create an authenticated, privileged session for the user.
I looked and found two possible solutions:
1. The JWT from their IdP is used to start an OAuth 2.0 implicit flow, using their JWT for client authentication (as per RFC 7523). Then the user will use the access token. But:
- I want to put the claims from the first JWT (some of them are custom) into the access token so that the legacy system can use that information to look up the user in the legacy DB and create the session. How do I tell OpenAM to include these claims in the access token? Note that there is no information about their users in OpenAM's database, just the claims from the token.
- Also, it looks like we are authenticating their IdP and not the user, because the JWT client authentication uses their IdP's public key to verify the token's signature. How do I tell OpenAM that this token is meant for the "sub" of that JWT?
2. Use the REST STS (Security Token Service) in OpenAM (OIDC -> OIDC). This kinda looks better suited to our situation, but I don't know how to tell OpenAM to verify their tokens. The documentation doesn't seem to provide any measures to verify the tokens. (Maybe some place to add their public key?)
oauth-2.0 openam oidc
edited Nov 11 at 4:27
asked Nov 10 at 16:39
Hossein
Please feel free to tell me if I'm thinking it dead wrong!
– Hossein
Nov 10 at 16:49